The ospf authentication-mode command sets the authentication mode and password used between neighboring nodes.
The ospf authentication-mode null command configures the null authentication mode on an interface.
The undo ospf authentication-mode command deletes the authentication mode from an interface.
By default, an interface does not authenticate OSPF packets.
ospf authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]
ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]
ospf authentication-mode null
ospf authentication-mode keychain keychain-name
undo ospf authentication-mode
Parameter | Description | Value |
---|---|---|
plain | Indicates plaintext mode. When configuring an authentication password, select ciphertext mode: in plaintext mode the password is saved in configuration files in plaintext, which is a high risk. To ensure device security, change the password periodically. | Simple authentication uses a ciphertext by default. |
plain-text | Specifies a plaintext password. | The value is a string of characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
cipher | Configures ciphertext mode. You can enter a plaintext or a ciphertext, but it is displayed as a ciphertext in the configuration file. | MD5, HMAC-MD5, or HMAC-SHA256 authentication uses a ciphertext by default. |
cipher-text | Specifies a ciphertext password. | The value is a string of characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
simple | Indicates simple authentication. | - |
md5 | Indicates MD5 authentication. For security, the HMAC-SHA256 algorithm is recommended instead of the MD5 algorithm. | Because $@$@ is used to distinguish old and new passwords in an upgrade, an MD5 authentication password must not start and end with $@$@. |
hmac-md5 | Indicates HMAC-MD5 authentication. For security, the HMAC-SHA256 algorithm is recommended instead of the HMAC-MD5 algorithm. | - |
hmac-sha256 | Indicates HMAC-SHA256 authentication using a ciphertext. | - |
key-id | Specifies the authentication key ID used for ciphertext authentication on the interface. The key ID must be the same as that of the neighbor. | The value is an integer ranging from 1 to 255. |
null | Indicates the null authentication mode. | - |
keychain | Configures keychain authentication. Before configuring this parameter, run the keychain command to create a keychain, and run the key-id, key-string, and algorithm commands to configure the key ID, password, and authentication algorithm for the keychain. Otherwise, OSPF authentication fails. Currently, OSPF supports the MD5, SHA-1, SHA-256, SM3, HMAC-MD5, HMAC-SHA1-12, HMAC-SHA1-20, and HMAC-SHA256 algorithms. If the dependent keychain is deleted, the established peer relationship may be disconnected. Therefore, exercise caution when performing this operation. | - |
keychain-name | Specifies the keychain name. | The value is a string of 1 to 47 case-insensitive characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
100GE interface view, 10GE interface view, 25GE sub-interface view, 25GE interface view, 400GE interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE electrical interface view, GMPLS-UNI interface view, Global VE sub-interface view, Loopback interface view, Tunnel interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view
Usage Scenario
Because of inherent defects in the TCP/IP protocol suite and flaws in its implementation, the number of attacks is increasing, and they pose greater threats to TCP/IP networks than ever before. Attacks on network devices may lead to network failures. To improve OSPF network security, run the ospf authentication-mode command to configure an authentication mode and a password on an OSPF interface.
Configuration Impact
Interface authentication sets the authentication mode and password used between neighboring devices. It takes precedence over area authentication. If both interface authentication and area authentication are configured, the authentication succeeds as long as the interface authentication succeeds. If authentication is configured on an interface, OSPFv3 neighbor relationships can be established on the interface as long as interface authentication succeeds, regardless of the area authentication configuration or whether area authentication is configured.
Precautions
Null authentication is also an authentication method. It does not indicate that no authentication is configured.
The authentication mode and password configured on the device interfaces on the same network segment must be the same.
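A configuration audit built on the syntax and recommendations above, as an added example that is not part of the original command reference: it parses ospf authentication-mode lines from a saved configuration and reports modes the page advises against, passwords entered with the plain keyword, out-of-range key IDs, and MD5 passwords wrapped in $@$@. The interface numbers, passwords, keychain name, and the function names check_line and audit are constructed for illustration; the note on simple mode reflects RFC 2328 rather than this page.

```python
import re

MODE_NOTES = {  # the page's recommendations, plus RFC 2328 behaviour for "simple"
    "simple": "simple mode carries the password in clear in each packet (RFC 2328)",
    "md5": "MD5: the page recommends HMAC-SHA256 instead",
    "hmac-md5": "HMAC-MD5: the page recommends HMAC-SHA256 instead",
    "null": "null mode is still an interface setting and overrides area authentication",
}
CMD = re.compile(r"^\s*ospf authentication-mode\s+"
                 r"(simple|md5|hmac-md5|hmac-sha256|null|keychain)\b\s*(.*?)\s*$")

def check_line(line):
    """Return (mode, findings) for one command line, or None for any other line."""
    m = CMD.match(line)
    if not m:
        return None
    mode, rest = m.groups()
    findings = [MODE_NOTES[mode]] if mode in MODE_NOTES else []
    if mode in ("md5", "hmac-md5", "hmac-sha256") and rest:
        key_id, _, rest = rest.partition(" ")
        if not (key_id.isdigit() and 1 <= int(key_id) <= 255):
            findings.append("key-id must be an integer from 1 to 255")
    keyword, _, secret = rest.partition(" ")
    if mode != "keychain" and keyword == "plain":  # content rule applies to typed plaintext
        findings.append("plain: password is saved in the configuration file in plaintext")
        if mode == "md5" and secret.startswith("$@$@") and secret.endswith("$@$@"):
            findings.append("MD5 password must not start and end with $@$@")
    return mode, findings

def audit(config_text):
    """Map each interface name to the (mode, findings) of its authentication command."""
    report, iface = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif iface and (result := check_line(line)):
            report[iface] = result
    return report

# Constructed sample: interface numbers, passwords and keychain name are made up.
SAMPLE = """interface 10GE1/0/1
 ospf authentication-mode simple plain Example-Pass1
interface 10GE1/0/2
 ospf authentication-mode hmac-sha256 300 cipher CONSTRUCTED-CIPHERTEXT
interface 10GE1/0/3
 ospf authentication-mode keychain core-ospf
"""
for name, (mode, findings) in audit(SAMPLE).items():
    print(name, mode, findings or "ok")
```

Interfaces without an ospf authentication-mode line are not listed; by default they do not authenticate OSPF packets at the interface level, so compare the report against the set of OSPF-enabled interfaces.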